efc87d650b9166e5b73e00b19ef95f70c28bae06ec4e87def95da60bf051dfcd

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13-03-2024 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-13_c7ee460d323c5578ec8d56c1aec7d099_goldeneye.exe
Size

344KB
MD5

c7ee460d323c5578ec8d56c1aec7d099
SHA1

560ee81d8b7f4ac4ab0661c1b38b8039f5522c67
SHA256

efc87d650b9166e5b73e00b19ef95f70c28bae06ec4e87def95da60bf051dfcd
SHA512

f874ef9b36352eb2ead20f1ef3031a5b8c1076530c1825385d60b0a7c90ac4a104404164cde3893c6d7f95d08f052bfd9490001d5c92799469acbcb2dc4b1614
SSDEEP

3072:mEGh0oPlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGhlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001224c-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001224c-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224c-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224c-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001224c-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001224c-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{648E5968-0166-4b92-AF17-7F9E344E7EE6}	{6DEC784D-BD18-4bf6-A7C7-4BB73F1425B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB701D47-59D5-4dc8-8BBF-62A7A5ECD234}	{3E2FBFE6-5830-4604-AAFE-9BBDDA3253E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99F0BB4F-0D4E-4687-9A9C-B9B5E408946E}\stubpath = "C:\\Windows\\{99F0BB4F-0D4E-4687-9A9C-B9B5E408946E}.exe"	2024-03-13_c7ee460d323c5578ec8d56c1aec7d099_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66A19FD2-4FDD-467d-AB66-CF9476814EDA}\stubpath = "C:\\Windows\\{66A19FD2-4FDD-467d-AB66-CF9476814EDA}.exe"	{99F0BB4F-0D4E-4687-9A9C-B9B5E408946E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3CAFDB4-D2F1-409f-9CF6-A1D817DF6AC7}\stubpath = "C:\\Windows\\{C3CAFDB4-D2F1-409f-9CF6-A1D817DF6AC7}.exe"	{85DFE31C-B6EA-479a-9EE5-37F93B89F80A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DEC784D-BD18-4bf6-A7C7-4BB73F1425B0}	{C3CAFDB4-D2F1-409f-9CF6-A1D817DF6AC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E2FBFE6-5830-4604-AAFE-9BBDDA3253E5}	{648E5968-0166-4b92-AF17-7F9E344E7EE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E2FBFE6-5830-4604-AAFE-9BBDDA3253E5}\stubpath = "C:\\Windows\\{3E2FBFE6-5830-4604-AAFE-9BBDDA3253E5}.exe"	{648E5968-0166-4b92-AF17-7F9E344E7EE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB701D47-59D5-4dc8-8BBF-62A7A5ECD234}\stubpath = "C:\\Windows\\{FB701D47-59D5-4dc8-8BBF-62A7A5ECD234}.exe"	{3E2FBFE6-5830-4604-AAFE-9BBDDA3253E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4B35089-3F38-404e-9DF1-173926B0B76B}	{FB701D47-59D5-4dc8-8BBF-62A7A5ECD234}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DC7F538-64F9-4133-91E9-730160A82905}\stubpath = "C:\\Windows\\{1DC7F538-64F9-4133-91E9-730160A82905}.exe"	{66A19FD2-4FDD-467d-AB66-CF9476814EDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85DFE31C-B6EA-479a-9EE5-37F93B89F80A}	{1DC7F538-64F9-4133-91E9-730160A82905}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3CAFDB4-D2F1-409f-9CF6-A1D817DF6AC7}	{85DFE31C-B6EA-479a-9EE5-37F93B89F80A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{648E5968-0166-4b92-AF17-7F9E344E7EE6}\stubpath = "C:\\Windows\\{648E5968-0166-4b92-AF17-7F9E344E7EE6}.exe"	{6DEC784D-BD18-4bf6-A7C7-4BB73F1425B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A086A5F-487C-4a7d-BEF8-A49637ECF742}\stubpath = "C:\\Windows\\{6A086A5F-487C-4a7d-BEF8-A49637ECF742}.exe"	{D4B35089-3F38-404e-9DF1-173926B0B76B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66A19FD2-4FDD-467d-AB66-CF9476814EDA}	{99F0BB4F-0D4E-4687-9A9C-B9B5E408946E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DEC784D-BD18-4bf6-A7C7-4BB73F1425B0}\stubpath = "C:\\Windows\\{6DEC784D-BD18-4bf6-A7C7-4BB73F1425B0}.exe"	{C3CAFDB4-D2F1-409f-9CF6-A1D817DF6AC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4B35089-3F38-404e-9DF1-173926B0B76B}\stubpath = "C:\\Windows\\{D4B35089-3F38-404e-9DF1-173926B0B76B}.exe"	{FB701D47-59D5-4dc8-8BBF-62A7A5ECD234}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A086A5F-487C-4a7d-BEF8-A49637ECF742}	{D4B35089-3F38-404e-9DF1-173926B0B76B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99F0BB4F-0D4E-4687-9A9C-B9B5E408946E}	2024-03-13_c7ee460d323c5578ec8d56c1aec7d099_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DC7F538-64F9-4133-91E9-730160A82905}	{66A19FD2-4FDD-467d-AB66-CF9476814EDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85DFE31C-B6EA-479a-9EE5-37F93B89F80A}\stubpath = "C:\\Windows\\{85DFE31C-B6EA-479a-9EE5-37F93B89F80A}.exe"	{1DC7F538-64F9-4133-91E9-730160A82905}.exe

Deletes itself 1 IoCs

pid	Process
940	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2316	{99F0BB4F-0D4E-4687-9A9C-B9B5E408946E}.exe
2756	{66A19FD2-4FDD-467d-AB66-CF9476814EDA}.exe
2640	{1DC7F538-64F9-4133-91E9-730160A82905}.exe
2540	{85DFE31C-B6EA-479a-9EE5-37F93B89F80A}.exe
2492	{C3CAFDB4-D2F1-409f-9CF6-A1D817DF6AC7}.exe
3016	{6DEC784D-BD18-4bf6-A7C7-4BB73F1425B0}.exe
1568	{648E5968-0166-4b92-AF17-7F9E344E7EE6}.exe
1736	{3E2FBFE6-5830-4604-AAFE-9BBDDA3253E5}.exe
564	{FB701D47-59D5-4dc8-8BBF-62A7A5ECD234}.exe
580	{D4B35089-3F38-404e-9DF1-173926B0B76B}.exe
1928	{6A086A5F-487C-4a7d-BEF8-A49637ECF742}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{1DC7F538-64F9-4133-91E9-730160A82905}.exe	{66A19FD2-4FDD-467d-AB66-CF9476814EDA}.exe
File created	C:\Windows\{85DFE31C-B6EA-479a-9EE5-37F93B89F80A}.exe	{1DC7F538-64F9-4133-91E9-730160A82905}.exe
File created	C:\Windows\{6A086A5F-487C-4a7d-BEF8-A49637ECF742}.exe	{D4B35089-3F38-404e-9DF1-173926B0B76B}.exe
File created	C:\Windows\{99F0BB4F-0D4E-4687-9A9C-B9B5E408946E}.exe	2024-03-13_c7ee460d323c5578ec8d56c1aec7d099_goldeneye.exe
File created	C:\Windows\{66A19FD2-4FDD-467d-AB66-CF9476814EDA}.exe	{99F0BB4F-0D4E-4687-9A9C-B9B5E408946E}.exe
File created	C:\Windows\{648E5968-0166-4b92-AF17-7F9E344E7EE6}.exe	{6DEC784D-BD18-4bf6-A7C7-4BB73F1425B0}.exe
File created	C:\Windows\{3E2FBFE6-5830-4604-AAFE-9BBDDA3253E5}.exe	{648E5968-0166-4b92-AF17-7F9E344E7EE6}.exe
File created	C:\Windows\{FB701D47-59D5-4dc8-8BBF-62A7A5ECD234}.exe	{3E2FBFE6-5830-4604-AAFE-9BBDDA3253E5}.exe
File created	C:\Windows\{D4B35089-3F38-404e-9DF1-173926B0B76B}.exe	{FB701D47-59D5-4dc8-8BBF-62A7A5ECD234}.exe
File created	C:\Windows\{C3CAFDB4-D2F1-409f-9CF6-A1D817DF6AC7}.exe	{85DFE31C-B6EA-479a-9EE5-37F93B89F80A}.exe
File created	C:\Windows\{6DEC784D-BD18-4bf6-A7C7-4BB73F1425B0}.exe	{C3CAFDB4-D2F1-409f-9CF6-A1D817DF6AC7}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1152	2024-03-13_c7ee460d323c5578ec8d56c1aec7d099_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2316	{99F0BB4F-0D4E-4687-9A9C-B9B5E408946E}.exe
Token: SeIncBasePriorityPrivilege	2756	{66A19FD2-4FDD-467d-AB66-CF9476814EDA}.exe
Token: SeIncBasePriorityPrivilege	2640	{1DC7F538-64F9-4133-91E9-730160A82905}.exe
Token: SeIncBasePriorityPrivilege	2540	{85DFE31C-B6EA-479a-9EE5-37F93B89F80A}.exe
Token: SeIncBasePriorityPrivilege	2492	{C3CAFDB4-D2F1-409f-9CF6-A1D817DF6AC7}.exe
Token: SeIncBasePriorityPrivilege	3016	{6DEC784D-BD18-4bf6-A7C7-4BB73F1425B0}.exe
Token: SeIncBasePriorityPrivilege	1568	{648E5968-0166-4b92-AF17-7F9E344E7EE6}.exe
Token: SeIncBasePriorityPrivilege	1736	{3E2FBFE6-5830-4604-AAFE-9BBDDA3253E5}.exe
Token: SeIncBasePriorityPrivilege	564	{FB701D47-59D5-4dc8-8BBF-62A7A5ECD234}.exe
Token: SeIncBasePriorityPrivilege	580	{D4B35089-3F38-404e-9DF1-173926B0B76B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2316	1152	2024-03-13_c7ee460d323c5578ec8d56c1aec7d099_goldeneye.exe	28
PID 1152 wrote to memory of 2316	1152	2024-03-13_c7ee460d323c5578ec8d56c1aec7d099_goldeneye.exe	28
PID 1152 wrote to memory of 2316	1152	2024-03-13_c7ee460d323c5578ec8d56c1aec7d099_goldeneye.exe	28
PID 1152 wrote to memory of 2316	1152	2024-03-13_c7ee460d323c5578ec8d56c1aec7d099_goldeneye.exe	28
PID 1152 wrote to memory of 940	1152	2024-03-13_c7ee460d323c5578ec8d56c1aec7d099_goldeneye.exe	29
PID 1152 wrote to memory of 940	1152	2024-03-13_c7ee460d323c5578ec8d56c1aec7d099_goldeneye.exe	29
PID 1152 wrote to memory of 940	1152	2024-03-13_c7ee460d323c5578ec8d56c1aec7d099_goldeneye.exe	29
PID 1152 wrote to memory of 940	1152	2024-03-13_c7ee460d323c5578ec8d56c1aec7d099_goldeneye.exe	29
PID 2316 wrote to memory of 2756	2316	{99F0BB4F-0D4E-4687-9A9C-B9B5E408946E}.exe	32
PID 2316 wrote to memory of 2756	2316	{99F0BB4F-0D4E-4687-9A9C-B9B5E408946E}.exe	32
PID 2316 wrote to memory of 2756	2316	{99F0BB4F-0D4E-4687-9A9C-B9B5E408946E}.exe	32
PID 2316 wrote to memory of 2756	2316	{99F0BB4F-0D4E-4687-9A9C-B9B5E408946E}.exe	32
PID 2316 wrote to memory of 2908	2316	{99F0BB4F-0D4E-4687-9A9C-B9B5E408946E}.exe	33
PID 2316 wrote to memory of 2908	2316	{99F0BB4F-0D4E-4687-9A9C-B9B5E408946E}.exe	33
PID 2316 wrote to memory of 2908	2316	{99F0BB4F-0D4E-4687-9A9C-B9B5E408946E}.exe	33
PID 2316 wrote to memory of 2908	2316	{99F0BB4F-0D4E-4687-9A9C-B9B5E408946E}.exe	33
PID 2756 wrote to memory of 2640	2756	{66A19FD2-4FDD-467d-AB66-CF9476814EDA}.exe	34
PID 2756 wrote to memory of 2640	2756	{66A19FD2-4FDD-467d-AB66-CF9476814EDA}.exe	34
PID 2756 wrote to memory of 2640	2756	{66A19FD2-4FDD-467d-AB66-CF9476814EDA}.exe	34
PID 2756 wrote to memory of 2640	2756	{66A19FD2-4FDD-467d-AB66-CF9476814EDA}.exe	34
PID 2756 wrote to memory of 2528	2756	{66A19FD2-4FDD-467d-AB66-CF9476814EDA}.exe	35
PID 2756 wrote to memory of 2528	2756	{66A19FD2-4FDD-467d-AB66-CF9476814EDA}.exe	35
PID 2756 wrote to memory of 2528	2756	{66A19FD2-4FDD-467d-AB66-CF9476814EDA}.exe	35
PID 2756 wrote to memory of 2528	2756	{66A19FD2-4FDD-467d-AB66-CF9476814EDA}.exe	35
PID 2640 wrote to memory of 2540	2640	{1DC7F538-64F9-4133-91E9-730160A82905}.exe	36
PID 2640 wrote to memory of 2540	2640	{1DC7F538-64F9-4133-91E9-730160A82905}.exe	36
PID 2640 wrote to memory of 2540	2640	{1DC7F538-64F9-4133-91E9-730160A82905}.exe	36
PID 2640 wrote to memory of 2540	2640	{1DC7F538-64F9-4133-91E9-730160A82905}.exe	36
PID 2640 wrote to memory of 2548	2640	{1DC7F538-64F9-4133-91E9-730160A82905}.exe	37
PID 2640 wrote to memory of 2548	2640	{1DC7F538-64F9-4133-91E9-730160A82905}.exe	37
PID 2640 wrote to memory of 2548	2640	{1DC7F538-64F9-4133-91E9-730160A82905}.exe	37
PID 2640 wrote to memory of 2548	2640	{1DC7F538-64F9-4133-91E9-730160A82905}.exe	37
PID 2540 wrote to memory of 2492	2540	{85DFE31C-B6EA-479a-9EE5-37F93B89F80A}.exe	38
PID 2540 wrote to memory of 2492	2540	{85DFE31C-B6EA-479a-9EE5-37F93B89F80A}.exe	38
PID 2540 wrote to memory of 2492	2540	{85DFE31C-B6EA-479a-9EE5-37F93B89F80A}.exe	38
PID 2540 wrote to memory of 2492	2540	{85DFE31C-B6EA-479a-9EE5-37F93B89F80A}.exe	38
PID 2540 wrote to memory of 2392	2540	{85DFE31C-B6EA-479a-9EE5-37F93B89F80A}.exe	39
PID 2540 wrote to memory of 2392	2540	{85DFE31C-B6EA-479a-9EE5-37F93B89F80A}.exe	39
PID 2540 wrote to memory of 2392	2540	{85DFE31C-B6EA-479a-9EE5-37F93B89F80A}.exe	39
PID 2540 wrote to memory of 2392	2540	{85DFE31C-B6EA-479a-9EE5-37F93B89F80A}.exe	39
PID 2492 wrote to memory of 3016	2492	{C3CAFDB4-D2F1-409f-9CF6-A1D817DF6AC7}.exe	40
PID 2492 wrote to memory of 3016	2492	{C3CAFDB4-D2F1-409f-9CF6-A1D817DF6AC7}.exe	40
PID 2492 wrote to memory of 3016	2492	{C3CAFDB4-D2F1-409f-9CF6-A1D817DF6AC7}.exe	40
PID 2492 wrote to memory of 3016	2492	{C3CAFDB4-D2F1-409f-9CF6-A1D817DF6AC7}.exe	40
PID 2492 wrote to memory of 1216	2492	{C3CAFDB4-D2F1-409f-9CF6-A1D817DF6AC7}.exe	41
PID 2492 wrote to memory of 1216	2492	{C3CAFDB4-D2F1-409f-9CF6-A1D817DF6AC7}.exe	41
PID 2492 wrote to memory of 1216	2492	{C3CAFDB4-D2F1-409f-9CF6-A1D817DF6AC7}.exe	41
PID 2492 wrote to memory of 1216	2492	{C3CAFDB4-D2F1-409f-9CF6-A1D817DF6AC7}.exe	41
PID 3016 wrote to memory of 1568	3016	{6DEC784D-BD18-4bf6-A7C7-4BB73F1425B0}.exe	42
PID 3016 wrote to memory of 1568	3016	{6DEC784D-BD18-4bf6-A7C7-4BB73F1425B0}.exe	42
PID 3016 wrote to memory of 1568	3016	{6DEC784D-BD18-4bf6-A7C7-4BB73F1425B0}.exe	42
PID 3016 wrote to memory of 1568	3016	{6DEC784D-BD18-4bf6-A7C7-4BB73F1425B0}.exe	42
PID 3016 wrote to memory of 1436	3016	{6DEC784D-BD18-4bf6-A7C7-4BB73F1425B0}.exe	43
PID 3016 wrote to memory of 1436	3016	{6DEC784D-BD18-4bf6-A7C7-4BB73F1425B0}.exe	43
PID 3016 wrote to memory of 1436	3016	{6DEC784D-BD18-4bf6-A7C7-4BB73F1425B0}.exe	43
PID 3016 wrote to memory of 1436	3016	{6DEC784D-BD18-4bf6-A7C7-4BB73F1425B0}.exe	43
PID 1568 wrote to memory of 1736	1568	{648E5968-0166-4b92-AF17-7F9E344E7EE6}.exe	44
PID 1568 wrote to memory of 1736	1568	{648E5968-0166-4b92-AF17-7F9E344E7EE6}.exe	44
PID 1568 wrote to memory of 1736	1568	{648E5968-0166-4b92-AF17-7F9E344E7EE6}.exe	44
PID 1568 wrote to memory of 1736	1568	{648E5968-0166-4b92-AF17-7F9E344E7EE6}.exe	44
PID 1568 wrote to memory of 896	1568	{648E5968-0166-4b92-AF17-7F9E344E7EE6}.exe	45
PID 1568 wrote to memory of 896	1568	{648E5968-0166-4b92-AF17-7F9E344E7EE6}.exe	45
PID 1568 wrote to memory of 896	1568	{648E5968-0166-4b92-AF17-7F9E344E7EE6}.exe	45
PID 1568 wrote to memory of 896	1568	{648E5968-0166-4b92-AF17-7F9E344E7EE6}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-13_c7ee460d323c5578ec8d56c1aec7d099_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-13_c7ee460d323c5578ec8d56c1aec7d099_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\{99F0BB4F-0D4E-4687-9A9C-B9B5E408946E}.exe
  C:\Windows\{99F0BB4F-0D4E-4687-9A9C-B9B5E408946E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\{66A19FD2-4FDD-467d-AB66-CF9476814EDA}.exe
    C:\Windows\{66A19FD2-4FDD-467d-AB66-CF9476814EDA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\{1DC7F538-64F9-4133-91E9-730160A82905}.exe
      C:\Windows\{1DC7F538-64F9-4133-91E9-730160A82905}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\{85DFE31C-B6EA-479a-9EE5-37F93B89F80A}.exe
        
        C:\Windows\{85DFE31C-B6EA-479a-9EE5-37F93B89F80A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
      - C:\Windows\{C3CAFDB4-D2F1-409f-9CF6-A1D817DF6AC7}.exe
        
        C:\Windows\{C3CAFDB4-D2F1-409f-9CF6-A1D817DF6AC7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\{6DEC784D-BD18-4bf6-A7C7-4BB73F1425B0}.exe
        
        C:\Windows\{6DEC784D-BD18-4bf6-A7C7-4BB73F1425B0}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\{648E5968-0166-4b92-AF17-7F9E344E7EE6}.exe
        
        C:\Windows\{648E5968-0166-4b92-AF17-7F9E344E7EE6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\{3E2FBFE6-5830-4604-AAFE-9BBDDA3253E5}.exe
        
        C:\Windows\{3E2FBFE6-5830-4604-AAFE-9BBDDA3253E5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Windows\{FB701D47-59D5-4dc8-8BBF-62A7A5ECD234}.exe
        
        C:\Windows\{FB701D47-59D5-4dc8-8BBF-62A7A5ECD234}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:564
        
        C:\Windows\{D4B35089-3F38-404e-9DF1-173926B0B76B}.exe
        
        C:\Windows\{D4B35089-3F38-404e-9DF1-173926B0B76B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:580
        
        C:\Windows\{6A086A5F-487C-4a7d-BEF8-A49637ECF742}.exe
        
        C:\Windows\{6A086A5F-487C-4a7d-BEF8-A49637ECF742}.exe
        12⤵
        Executes dropped EXE
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4B35~1.EXE > nul
        12⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB701~1.EXE > nul
        11⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E2FB~1.EXE > nul
        10⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{648E5~1.EXE > nul
        9⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DEC7~1.EXE > nul
        8⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3CAF~1.EXE > nul
        7⤵
        
        PID:1216
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85DFE~1.EXE > nul
        6⤵
        
        PID:2392
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1DC7F~1.EXE > nul
        5⤵
        
        PID:2548
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{66A19~1.EXE > nul
      4⤵
      PID:2528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{99F0B~1.EXE > nul
    3⤵
    PID:2908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1DC7F538-64F9-4133-91E9-730160A82905}.exe

Filesize
344KB

MD5
892068447b3b47fcf563d309ba512687

SHA1
08d0c2e83d4e217eaf41a469239df43de2579ec1

SHA256
3b7a7a210110e5b2b7d0fcd830b3cd834dc6770eb9a432065a13626f6249280e

SHA512
208c9675431cc01c0791ab5151beadcb6992f4c9515aceb00b8d1f36c640eae2c93daaa567bcb9060e58d260f25c4acd04ae549d8d3c67cffab2027f9f2380a8

Download Submit
C:\Windows\{3E2FBFE6-5830-4604-AAFE-9BBDDA3253E5}.exe

Filesize
344KB

MD5
e5c15a3b8c0a979cf47944de0b616c5a

SHA1
8fa92d11c8a271da29cae9b0d0db46a01f111f98

SHA256
6ae27736b69156d621d82ded6365cdba1ab3946f4468f96b69f1718df5d7221e

SHA512
80b51fdf2b9902683b970bd6327fa7c055b98731f356742c271c97229764fbfe3942cfcdaa02c392630e3b3eb6023b356ea65609768e1aed4f088f055ef82ad7

Download Submit
C:\Windows\{648E5968-0166-4b92-AF17-7F9E344E7EE6}.exe

Filesize
344KB

MD5
0770b5446ceb1263831bda1e08fbd174

SHA1
516075944b6391b627d742cfcb39083aa5061fce

SHA256
fac7048036ae5f0a4c3b6bb2dafad6b1322c1b6eaff6c7204150e86a23d96d97

SHA512
aec9ee7ba3e6a17c154d1371bf2fccd4cc53ab8f6e670f4b31c80064ecf156ca6ede6020c5921743f0c2e25636274a8fc366cb980ffb140f4d2daa793f99c197

Download Submit
C:\Windows\{66A19FD2-4FDD-467d-AB66-CF9476814EDA}.exe

Filesize
344KB

MD5
4b785d1b4bea9bd33e7e7f3eb8fd8531

SHA1
bcac44f4d05ea2513a1dec6d249d08976ab80ea6

SHA256
e68f95963b1ea272804021cf701126b57c43cb02d70121c018d3adf02cc68350

SHA512
db4ff341afdf0e5a5ef98f8b0d32fb3c8cc4bdbc4816836b282c838fed238f033c4d2f698540c0fa276210c498850d325f03e522286a2b5c470e7d65450c3a6e

Download Submit
C:\Windows\{66A19FD2-4FDD-467d-AB66-CF9476814EDA}.exe

Filesize
81KB

MD5
924f0e873fd32448d5c0cc1493e8706a

SHA1
87e7760bf56f0f95421b6965cf15da06bdcb954a

SHA256
9813564683d161be7ab2d437a65fd4cb29c9e126a5f646eae653c87d956fd567

SHA512
5fd24d613af5b7450dafa4d53d70d1e98ef4447b481fc4a39ebc43c5a5023b2fc4b8e478de25cb86673628ad89a0ee0773a3771419b44d22030c5dd0d33ad10d

Download Submit
C:\Windows\{6A086A5F-487C-4a7d-BEF8-A49637ECF742}.exe

Filesize
344KB

MD5
8a34fe06057d9889fd68ff05bcb1616c

SHA1
bc6ff7162c8993e5126b79ed162ee4d4b7f3fbce

SHA256
02af8d5906d40c70f05d5cc779aee92c462c09928120d8dd455ddd36c4a0fa5d

SHA512
7aea5e7839b6291d413636350bc7411a6ff268ac2efc6da0d34d481f16929ff22a3d3d96b89b380eaff211dbc4751fed54efcd3c311191b0b7b260410712c183

Download Submit
C:\Windows\{6DEC784D-BD18-4bf6-A7C7-4BB73F1425B0}.exe

Filesize
344KB

MD5
7018367b8de4e127330ad3565c2f049b

SHA1
434a815607ef63f109581ac597bad756c710a30b

SHA256
7fec214e57e08e1d19e34372ac17c3d3b40420ffacbd04d04ccdaea916eac80a

SHA512
a236691802586b59afc4314096e4e481386b029a3611e5231a90ac2841560ea634c4f47800e4ffaa26c0f05806c7a9c3e2e700567be9b4583e18717f97fdb1fc

Download Submit
C:\Windows\{85DFE31C-B6EA-479a-9EE5-37F93B89F80A}.exe

Filesize
344KB

MD5
25da0aa81ef8bdab9f8bdbbaed5ac67f

SHA1
e08cf570c685ee67b9c5fa8da242377140366b30

SHA256
d57024cd28ae60999b9688b4cc4ba018928bfb8ccf0d0a72897d222752ae038e

SHA512
2e639f6ba650291fde529f97909e97a0cf26454c8664e4c312b6d83ce7a342a71999a05cd189962c88ba0f2a1c90e379aa34370e1102b25ebf581725df2afda2

Download Submit
C:\Windows\{99F0BB4F-0D4E-4687-9A9C-B9B5E408946E}.exe

Filesize
344KB

MD5
637c77cc8907caa09e6ee4cdd9d4cb79

SHA1
d6a15441fff8bb2517b241ec54ef0b85a20faeaa

SHA256
c6909017f00cdf71b1c1c1bb3cd79f935260727a38d06ae8d4f7f001cf1999a9

SHA512
b1ccd25803f18c8bc41d6442ea18c6cd338bfa044415e56bfdb36de05124be49a74b8f61e726c9a45a1cd8caff7e6e23310ceabe247bafc9b14e4099a1d1da64

Download Submit
C:\Windows\{C3CAFDB4-D2F1-409f-9CF6-A1D817DF6AC7}.exe

Filesize
344KB

MD5
55ba23b7323092ec9fe5422c1d944f72

SHA1
182888a758439b2e7d47a469d1d9bf1850a9ba15

SHA256
181f258ca9403777d29d172d63784d524ff22e6fafb61fc8cf74ae623d06b509

SHA512
7dd449e77e426e4bcf7e4174171daf1c1c542de5c3c95b941259b28fb20731e289fc6c92cd22136bce77d6c4baf0c2afdfbdd11449ec03c8fb8bc9e09f39d65d

Download Submit
C:\Windows\{D4B35089-3F38-404e-9DF1-173926B0B76B}.exe

Filesize
344KB

MD5
7a71bb81912d300bf46ef3bc91ff3b1e

SHA1
d0e14fc0783a60946050395c3132d8b340c49fb2

SHA256
b3ef199d3ed6f55c64d3a0ec35078329547378c5c10dd93af39be8c6fc280762

SHA512
00e85eed90eab43f19f75d5dc601642866664d3327a36687498b723f62bb9db80a009bb38a2543b7071565f985abab88018b46a68b0af8d97884c49e0e9c46b2

Download Submit
C:\Windows\{FB701D47-59D5-4dc8-8BBF-62A7A5ECD234}.exe

Filesize
344KB

MD5
1ba103e9cc33f8b7e243bd65032e0891

SHA1
c46410a6503c374e7dd53ead4c6048dacf7884f0

SHA256
664345a297270a733cfb24f1b45745febb2954fc0eba61ba5b1d50c87d642e3b

SHA512
86d0d3f07480060db2c31f0a3ef13381f0d6e3529fca77f6d9389fcf805dcce3486d17ecae1f8cc5f5726529888d7a14c1be1a7fda60576fc506fe221c3774f1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads